European Patent Office
Certificate

The attached documents are exact copies of the European patent application described on the following page, as originally filed.

Patent application No. 99401048.6

For the President of the European Patent Office
p.p. LLC. HATTEN-HECKMAN

THE HAGUE, 17/04/00

EPA/EPO/OEB Form 1014 - 02.91



European Patent Office
Sheet 2 of the certificate

Application no.: 99401048.6

Applicant(s):
BULL CPS, 78430 Louveciennes, FRANCE
NDS LIMITED, West Drayton, Middlesex UB7 0DQ, UNITED KINGDOM

Title of the invention: Public-key signature methods and systems

Date of filing: 29/04/99

Priority(ies) claimed (State / Date / File no.):

International Patent classification: H04L9/32

Contracting states designated at date of filing: AT/BE/CH/CY/DE/DK/ES/FI/FR/GB/GR/IE/IT/LI/LU/MC/NL/PT/SE

Remarks:

EPA/EPO/OEB Form 1012 - 04.98



PUBLIC-KEY SIGNATURE METHODS AND SYSTEMS

FIELD OF THE INVENTION

The present invention generally relates to cryptography, and more particularly to public-key cryptography.

BACKGROUND OF THE INVENTION

The first public-key cryptography scheme was introduced in 1975. Since then, many public-key schemes have been developed and published. Many public-key schemes require some arithmetic computations modulo an integer n, where today n is typically between 512 and 1024 bits.

Due to the relatively large number of bits of n, such public-key schemes are relatively slow in operation and are considered heavy consumers of random-access memory (RAM) and other computing resources. These problems are particularly acute in applications in which the computing resources are limited, such as smart card applications. Thus, in order to overcome these problems, other families of public-key schemes which do not require many arithmetic computations modulo n have been developed. Among these other families are schemes where the public key is given as a set of k multivariable polynomial equations over a finite mathematical field K which is relatively small, e.g., between 2 and 2^.

The set of k multivariable polynomial equations can be written as follows:

$y_1 = P_1(x_1, \ldots, x_n)$
$y_2 = P_2(x_1, \ldots, x_n)$
$\ldots$
$y_k = P_k(x_1, \ldots, x_n),$

where $P_1, \ldots, P_k$ are multivariable polynomials of small total degree, typically less than or equal to 8, and in many cases exactly two.

Examples of such schemes include the C* scheme of T. Matsumoto and H. Imai, the HFE scheme of Jacques Patarin, and the basic form of the "Oil and Vinegar" scheme of Jacques Patarin.

The C* scheme is described in an article titled "Public Quadratic Polynomial-tuples for Efficient Signature Verification and Message-encryption" in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419 - 453. The HFE scheme is described in an article titled "Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms" in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33 - 48. The basic form of the "Oil and Vinegar" scheme of Jacques Patarin is described in an article titled "The Oil and Vinegar Signature Scheme" presented at the Dagstuhl Workshop on Cryptography in September 1997.

However, the C* scheme and the basic form of the "Oil and Vinegar" scheme have been shown to be insecure, in that cryptanalyses of both the C* scheme and the basic form of the "Oil and Vinegar" scheme have been discovered and published by Aviad Kipnis and Adi Shamir in an article titled "Cryptanalysis of the Oil and Vinegar Signature Scheme" in Proceedings of CRYPTO'98, Springer-Verlag LNCS no. 1462, pp. 257 - 266. Weaknesses in the construction of the HFE scheme have been described in two unpublished articles titled "Cryptanalysis of the HFE Public Key Cryptosystem" and "Practical Cryptanalysis of the Hidden Fields Equations (HFE)", but at present the HFE scheme is not considered compromised, since for well chosen and still reasonable parameters the number of computations required to break the HFE scheme is still too large.

Some aspects of related technologies are described in the following publications:

US Patent 5,263,085 to Shamir describes a new type of digital signature scheme whose security is based on the difficulty of solving systems of k polynomial equations in m unknowns modulo a composite n; and

US Patent 5,375,170 to Shamir describes a novel digital signature scheme which is based on a new class of birational permutations which have small keys and require few arithmetic operations.

The disclosures of all references mentioned above and throughout the present specification are hereby incorporated herein by reference.



SUMMARY OF THE INVENTION

The present invention seeks to improve the security of digital signature cryptographic schemes in which the public key is given as a set of k multivariable polynomial equations, typically over a finite mathematical field K. Particularly, the present invention seeks to improve the security of the basic form of the "Oil and Vinegar" and the HFE schemes. An "Oil and Vinegar" scheme which is modified to improve security according to the present invention is referred to herein as an unbalanced "Oil and Vinegar" (UOV) scheme. An HFE scheme which is modified to improve security according to the present invention is referred to herein as an HFEV scheme.

In the present invention, a set S1 of k polynomial functions is supplied as a public key. The set S1 preferably includes the functions $P_1(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k), \ldots, P_k(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k)$, where k, v, and n are integers, $x_1, \ldots, x_{n+v}$ are n+v variables of a first type, and $y_1, \ldots, y_k$ are k variables of a second type. The set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k), \ldots, P'_k(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k)$, where $a_1, \ldots, a_{n+v}$ are n+v variables which include a set of n "oil" variables $a_1, \ldots, a_n$ and a set of v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$. It is appreciated that the secret key operation may include a secret affine transformation s on the n+v variables $a_1, \ldots, a_{n+v}$.

When a message to be signed is provided, a hash function may be applied to the message to produce a series of k values $b_1, \ldots, b_k$. The series of k values $b_1, \ldots, b_k$ is preferably substituted for the variables $y_1, \ldots, y_k$ of the set S2 respectively, so as to produce a set S3 of k polynomial functions $P''_1(a_1, \ldots, a_{n+v}), \ldots, P''_k(a_1, \ldots, a_{n+v})$. Then, v values $a'_{n+1}, \ldots, a'_{n+v}$ may be selected for the v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$, either randomly or according to a predetermined selection algorithm.

Once the v values $a'_{n+1}, \ldots, a'_{n+v}$ are selected, a set of equations $P''_1(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0, \ldots, P''_k(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0$ is preferably solved to obtain a solution for $a'_1, \ldots, a'_n$. Then, the secret key operation may be applied to transform $a'_1, \ldots, a'_{n+v}$ to a digital signature $e_1, \ldots, e_{n+v}$.

The generated digital signature $e_1, \ldots, e_{n+v}$ may be verified by a verifier which may include, for example, a computer or a smart card. In order to verify the digital signature, the verifier preferably obtains the signature $e_1, \ldots, e_{n+v}$, the message, the hash function and the public key. Then, the verifier may apply the hash function to the message to produce the series of k values $b_1, \ldots, b_k$. Once the k values $b_1, \ldots, b_k$ are produced, the verifier preferably verifies the digital signature by verifying that the equations $P_1(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0, \ldots, P_k(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0$ are satisfied.

There is thus provided, in accordance with a preferred embodiment of the present invention, a digital signature cryptographic method including the steps of: supplying a set S1 of k polynomial functions as a public key, the set S1 including the functions $P_1(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k), \ldots, P_k(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k)$, where k, v, and n are integers, $x_1, \ldots, x_{n+v}$ are n+v variables of a first type, $y_1, \ldots, y_k$ are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k), \ldots, P'_k(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k)$, where $a_1, \ldots, a_{n+v}$ are n+v variables which include a set of n "oil" variables $a_1, \ldots, a_n$ and a set of v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$; providing a message to be signed; applying a hash function to the message to produce a series of k values $b_1, \ldots, b_k$; substituting the series of k values $b_1, \ldots, b_k$ for the variables $y_1, \ldots, y_k$ of the set S2 respectively to produce a set S3 of k polynomial functions $P''_1(a_1, \ldots, a_{n+v}), \ldots, P''_k(a_1, \ldots, a_{n+v})$; selecting v values $a'_{n+1}, \ldots, a'_{n+v}$ for the v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$; solving a set of equations $P''_1(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0, \ldots, P''_k(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0$ to obtain a solution for $a'_1, \ldots, a'_n$; and applying the secret key operation to transform $a'_1, \ldots, a'_{n+v}$ to a digital signature $e_1, \ldots, e_{n+v}$.

Preferably, the method also includes the step of verifying the digital signature. The verifying step preferably includes the steps of obtaining the signature $e_1, \ldots, e_{n+v}$, the message, the hash function and the public key, applying the hash function to the message to produce the series of k values $b_1, \ldots, b_k$, and verifying that the equations $P_1(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0, \ldots, P_k(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0$ are satisfied.

The secret key operation preferably includes a secret affine transformation s on the n+v variables $a_1, \ldots, a_{n+v}$.

Preferably, the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme. In such a case, the set S2 preferably includes an expression including k functions that are derived from a univariate polynomial. The univariate polynomial preferably includes a univariate polynomial of degree less than or equal to 100,000.

Alternatively, the set S2 includes the set S of k polynomial functions of the UOV scheme.



The supplying step may preferably include the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil" variables. Preferably, v is selected such that $q^v$ is greater than 2^^, where q is the number of elements of a finite field K.

In accordance with a preferred embodiment of the present invention, the supplying step includes the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized in that all coefficients of components involving any of the $y_1, \ldots, y_k$ variables in the k polynomial functions $P'_1(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k), \ldots, P'_k(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k)$ are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.

Preferably, the set S2 includes the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: (a) for each characteristic p of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies the inequality $q^{v-n-1} \times n^4 > 2^{40}$; (b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than $n(1 + \sqrt{3})$ and lower than or equal to $n^3/6$; and (c) for each p other than 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n and lower than or equal to $n^3/6$.

There is also provided, in accordance with a preferred embodiment of the present invention, an improvement of an "Oil and Vinegar" signature method, the improvement including the step of using more "vinegar" variables than "oil" variables. Preferably, the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: (a) for each characteristic p of a field K and for a degree 2 of the "Oil and Vinegar" signature method, v satisfies the inequality $q^{v-n-1} \times n^4 > 2^{40}$; (b) for p = 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than $n(1 + \sqrt{3})$ and lower than or equal to $n^3/6$; and (c) for each p other than 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n and lower than or equal to $n^3/6$.



BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:

Fig. 1 is a simplified block diagram illustration of a preferred implementation of a system for generating and verifying a digital signature to a message, the system being constructed and operative in accordance with a preferred embodiment of the present invention;

Fig. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message, the method being operative in accordance with a preferred embodiment of the present invention; and

Fig. 2B is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A, the method being operative in accordance with a preferred embodiment of the present invention.



DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Reference is now made to Fig. 1, which is a simplified block diagram illustration of a preferred implementation of a system 10 for generating and verifying a digital signature to a message, the system 10 being constructed and operative in accordance with a preferred embodiment of the present invention.

Preferably, the system 10 includes a computer 15, such as a general purpose computer, which communicates with a smart card 20 via a smart card reader 25. The computer 15 may preferably include a digital signature generator 30 and a digital signature verifier 35 which may communicate data via a communication bus 40. The smart card 20 may preferably include a digital signature generator 45 and a digital signature verifier 50 which may communicate data via a communication bus 55.

It is appreciated that in typical public-key signature scheme applications, a signer of a message and a receptor of a signed message agree on a public key which is published, and on a hash function to be used. In a case that the hash function is compromised, the signer and the receptor may agree to change the hash function. It is appreciated that a generator of the public key need not be the signer or the receptor.

Preferably, the digital signature verifier 35 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45. Similarly, the digital signature verifier 50 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.

Reference is now made to Fig. 2A, which is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message in a first processor (not shown), and to Fig. 2B, which is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A in a second processor (not shown), the methods of Figs. 2A and 2B being operative in accordance with a preferred embodiment of the present invention.

It is appreciated that the methods of Figs. 2A and 2B may be implemented in hardware, in software or in a combination of hardware and software. Furthermore, the first processor and the second processor may be identical. Alternatively, the method may be implemented by the system 10 of Fig. 1, in which the first processor may be comprised, for example, in the computer 15, and the second processor may be comprised in the smart card 20, or vice versa.



The methods of Figs. 2A and 2B, and applications of the methods of Figs. 2A and 2B, are described in Appendix I which is incorporated herein. The applications of the methods of Figs. 2A and 2B may be employed to modify the basic form of the "Oil and Vinegar" scheme and the HFE scheme, thereby to produce the UOV and the HFEV respectively.

Appendix I includes an unpublished article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag in Proceedings of EUROCRYPT'99, which is scheduled on 2 - 6 May 1999. The article included in Appendix I also describes variations of the UOV and the HFEV schemes with small signatures.

In the digital signature cryptographic method of Fig. 2A, a set S1 of k polynomial functions is preferably supplied as a public key (step 100) by a generator of the public key (not shown) which may be, for example, the generator 30 of Fig. 1, the generator 45 of Fig. 1, or an external public-key generator (not shown).

The set S1 preferably includes the functions $P_1(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k), \ldots, P_k(x_1, \ldots, x_{n+v}, y_1, \ldots, y_k)$, where k, v, and n are integers, $x_1, \ldots, x_{n+v}$ are n+v variables of a first type, and $y_1, \ldots, y_k$ are k variables of a second type. The set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k), \ldots, P'_k(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k)$, where $a_1, \ldots, a_{n+v}$ are n+v variables which include a set of n "oil" variables $a_1, \ldots, a_n$ and a set of v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$. It is appreciated that the secret key operation may include a secret affine transformation s on the n+v variables $a_1, \ldots, a_{n+v}$.

The terms "oil" variables and "vinegar" variables refer to "oil" variables and "vinegar" variables as defined in the basic form of the "Oil and Vinegar" scheme of Jacques Patarin, which is described in the above mentioned article titled "The Oil and Vinegar Signature Scheme" presented at the Dagstuhl Workshop on Cryptography in September 1997.



Preferably, when a message to be signed is provided (step 105), a signer may apply a hash function to the message to produce a series of k values $b_1, \ldots, b_k$ (step 110). The signer may be, for example, the generator 30 or the generator 45 of Fig. 1. The series of k values $b_1, \ldots, b_k$ is preferably substituted for the variables $y_1, \ldots, y_k$ of the set S2 respectively, so as to produce a set S3 of k polynomial functions $P''_1(a_1, \ldots, a_{n+v}), \ldots, P''_k(a_1, \ldots, a_{n+v})$ (step 115). Then, v values $a'_{n+1}, \ldots, a'_{n+v}$ may be randomly selected for the v "vinegar" variables $a_{n+1}, \ldots, a_{n+v}$ (step 120). Alternatively, the v values $a'_{n+1}, \ldots, a'_{n+v}$ may be selected according to a predetermined selection algorithm.

Once the v values $a'_{n+1}, \ldots, a'_{n+v}$ are selected, a set of equations $P''_1(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0, \ldots, P''_k(a_1, \ldots, a_n, a'_{n+1}, \ldots, a'_{n+v}) = 0$ is preferably solved to obtain a solution for $a'_1, \ldots, a'_n$ (step 125). Then, the secret key operation may be applied to transform $a'_1, \ldots, a'_{n+v}$ to a digital signature $e_1, \ldots, e_{n+v}$ (step 130).

The generated digital signature $e_1, \ldots, e_{n+v}$ may be verified according to the method described with reference to Fig. 2B by a verifier of the digital signature (not shown) which may include, for example, the verifier 35 or the verifier 50 of Fig. 1. In order to verify the digital signature, the verifier preferably obtains the signature $e_1, \ldots, e_{n+v}$, the message, the hash function and the public key (step 200). Then, the verifier may apply the hash function to the message to produce the series of k values $b_1, \ldots, b_k$ (step 205). Once the k values $b_1, \ldots, b_k$ are produced, the verifier preferably verifies the digital signature by verifying that the equations $P_1(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0, \ldots, P_k(e_1, \ldots, e_{n+v}, b_1, \ldots, b_k) = 0$ are satisfied (step 210).

It is appreciated that the generation and verification of the digital signature as mentioned above may be used for the UOV by allowing the set S2 to include the set S of k polynomial functions of the UOV scheme as described in Appendix I. Alternatively, the generation and verification of the digital signature as mentioned above may be used for the HFEV by allowing the set S2 to include the set f(a) of k polynomial functions of the HFEV scheme as described in Appendix I.

As mentioned in Appendix I, the methods of Figs. 2A and 2B enable obtaining digital signatures which are typically smaller than digital signatures obtained in conventional number theoretic cryptography schemes, such as the well known RSA scheme.

In accordance with a preferred embodiment of the present invention, when the set S2 includes the set S of k polynomial functions of the UOV scheme, the set S1 may be supplied with the number v of "vinegar" variables being selected to be greater than the number n of "oil" variables. Preferably, v may also be selected such that $q^v$ is greater than 2^^, where q is the number of elements of a finite field K over which the sets S1, S2 and S3 are provided.

Further preferably, the set S1 may be obtained from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized in that all coefficients of components involving any of the $y_1, \ldots, y_k$ variables in the k polynomial functions $P'_1(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k), \ldots, P'_k(a_1, \ldots, a_{n+v}, y_1, \ldots, y_k)$ are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.

In the basic "Oil and Vinegar" scheme, the number v of "vinegar" variables is chosen to be equal to the number n of "oil" variables. For such a selection of the v variables, Aviad Kipnis, who is one of the inventors of the present invention, and Adi Shamir have shown, in the above mentioned Proceedings of CRYPTO'98, Springer, LNCS no. 1462, on pages 257 - 266, a cryptanalysis of the basic "Oil and Vinegar" signature scheme which renders the basic "Oil and Vinegar" scheme insecure. Additionally, by applying the same method described by Kipnis and Shamir, the basic "Oil and Vinegar" scheme may be shown to be insecure for any number v of "vinegar" variables which is lower than the number n of "oil" variables.






The inventors of the present invention have found, as described in Appendix I, that if the "Oil and Vinegar" scheme is made unbalanced by modifying the "Oil and Vinegar" scheme so that the number v of "vinegar" variables is greater than the number n of "oil" variables, a resulting unbalanced "Oil and Vinegar" (UOV) scheme may be secure.

Specifically, for a UOV of degree 2 and for all values of p, where p is the characteristic of the field K, i.e., the additive order of 1, the UOV scheme is considered secure for values of v which satisfy the inequality $q^{v-n-1} \times n^4 > 2^{40}$. It is appreciated that for values of v which are higher than $n^2/2$ but less than or equal to $n^2$, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than $n^2$, the UOV is believed to be insecure.

Furthermore, for a UOV of degree 3 and for p = 2, the UOV scheme is considered secure for values of v which are substantially greater than $n(1 + \sqrt{3})$ and lower than or equal to $n^3/6$. It is appreciated that for values of v which are higher than $n^3/6$ but lower than or equal to the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than $n^3/2$, and for values of v which are lower than $n(1 + \sqrt{3})$, the UOV is believed to be insecure.

Additionally, for a UOV of degree 3 and for p other than 2, the UOV scheme is considered secure for values of v which are substantially greater than n and lower than or equal to $n^3/6$. It is appreciated that for values of v which are higher than $n^3/6$ but lower than or equal to n^ the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than $n^4$, and for values of v which are lower than n, the UOV is believed to be insecure.

Preferably, in a case that the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme, the set S2 may include an expression which includes k functions that are derived from a univariate polynomial. Preferably, the univariate polynomial may include a polynomial of degree less than or equal to 100,000 on an extension field of degree n over K.

Examples of parameters selected for the UOV and the HFEV schemes are shown in Appendix I.

It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.

It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather, the scope of the invention is defined only by the claims which follow.



Unbalanced Oil and Vinegar Signature Schemes

Aviad Kipnis
NDS Technologies
5 Hamarpe St., Har Hotzvim
Jerusalem - Israel
e-mail: akipnis@ndsisrael.com

Jacques Patarin, Louis Goubin
Bull SmartCards and Terminals
68 route de Versailles - BP 45
78431 Louveciennes Cedex - France
e-mail: {jacques.patarin,louis.goubin}@bull.net

Abstract

In [9], J. Patarin designed a new scheme, called "oil and vinegar", for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called "oil" and v = n unknowns called "vinegar" over a finite field with linear secret functions. This original scheme was broken in [5] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called "Unbalanced Oil and Vinegar" (UOV), since we have more "vinegar" unknowns than "oil" unknowns. We show that, when $v \approx n$, the attack of [5] can be extended, but, when v > 2n for example, the security of the scheme is still an open problem. Moreover, when $v \approx n^2/2$, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in $n^2/2$ unknowns (with no trapdoor). However, we show that when $v > n^2$, finding a solution is generally easy. In this paper we also present some practical values of the parameters, for which no attacks are known. The length of the signatures can be as short as 192 bits. We also study schemes with public keys of degree three instead of two. We show that no significant advantages exist at the present to recommend schemes of degree three instead of two.

1 Introduction

Since 1985, various authors (see [2], [4], [7], [8], [9], [10], [11] for example) have suggested some public key schemes where the public key is given as a set of multivariate quadratic (or higher degree) equations over a small finite field K.

The general problem of solving such a set of equations is NP-hard (cf. [3]) (even in the quadratic case). Moreover, when the number of unknowns is, say, n > 16, the best known algorithms are often not significantly better than exhaustive search (when n is very small, Gröbner bases algorithms might be

These schemes are often very efficient in terms of speed or RAM required in a smartcard implementation (however, the length of the public key is generally > 1 Kbyte). The most serious problem is that, in order to introduce a trapdoor (to allow the computation of signatures or to allow the decryption of messages when a secret is known), the generated set of public equations generally becomes a small subset of all the possible equations and, in many cases, the algorithms have been broken. For example, [2] was broken by their authors, and [7] and [9] were broken. However, many schemes are still not broken (for example [8], [10], [11]), and also in many cases some very simple variations have been suggested in order to repair the schemes. Therefore, at the present, we do not know whether this idea of designing public key algorithms with multivariate polynomials over finite fields is a very powerful idea (where only some too simple schemes are insecure) or not.

In this paper, we present what may be the most simple example: the original Oil and Vinegar signature scheme (of [9]) was broken (see [5]), but if we have significantly more "vinegar" unknowns than "oil" unknowns (a definition of the "oil" and "vinegar" unknowns can be found in section 2), then the attack of [5] does not work and the security of this more general scheme is still an open problem. Moreover, we show that, when we have approximately $n^2/2$ vinegar unknowns for n oil unknowns, the security of the scheme is exactly equivalent (if we accept a natural but not proved property) to the problem of solving a random set of n quadratic equations in $n^2/2$ unknowns (with no trapdoor). This is a nice result, since it suggests that some partial proof of security (related to some simple to describe and supposed very difficult to solve problems) might be found for some schemes with multivariate polynomials over a finite field. However, we show that most of the systems of n quadratic equations in $n^2$ (or more) variables can be solved in polynomial complexity. We also study Oil and Vinegar schemes of degree three (instead of two).

2 The (Original and Unbalanced) Oil and Vinegar of degree two

Let $K = \mathbb{F}_q$ be a small finite field (for example $K = \mathbb{F}_2$). Let n and v be two integers. The message to be signed (or its hash) is represented as an element of $K^n$, denoted by $y = (y_1, \ldots, y_n)$. Typically, ^ 2^^^. The signature x is represented as an element of $K^{n+v}$, denoted by $x = (x_1, \ldots, x_{n+v})$.

Secret key

The secret key is made of two parts:

1. A bijective and affine function $s : K^{n+v} \to K^{n+v}$. By "affine", we mean that each component of the output can be written as a polynomial of degree one in the n + v input unknowns, and with coefficients in K.

2. A set (S) of n equations of the following type:

The coefficients $\gamma_{ijk}$, $\lambda_{ijk}$, $\xi_{ij}$, $\xi'_{ij}$ and $\delta_i$ are the secret coefficients of these n equations. The values $a_1, \ldots, a_n$ (the "oil" unknowns) and $a'_1, \ldots, a'_v$ (the "vinegar" unknowns) lie in K. Note that these equations (S) contain no terms in $a_i a_j$.

Public key

Let A be the element of $K^{n+v}$ defined by $A = (a_1, \ldots, a_n, a'_1, \ldots, a'_v)$. A is transformed into $x = s^{-1}(A)$, where s is the secret, bijective and affine function from $K^{n+v}$ to $K^{n+v}$.

Each value $y_i$, $1 \le i \le n$, can be written as a polynomial $P_i$ of total degree two in the $x_j$ unknowns, $1 \le j \le n + v$. We denote by (V) the set of these n equations:

$\forall i,\ 1 \le i \le n, \quad y_i = P_i(x_1, \ldots, x_{n+v}) \qquad (V).$

These n quadratic equations (V) (in the n + v unknowns $x_j$) are the public key.

Computation of a signature (with the secret key)

The computation of a signature x of y is performed as follows:

Step 1: We find n unknowns a_i of K and v unknowns a'_i of K such that the n equations (S) are satisfied.

This can be done as follows: we randomly choose the v vinegar unknowns a'_i, and then we compute
the a_i unknowns from (S) by Gaussian reductions (because - since there are no a_i a_j terms - the
(S) equations are affine in the a_i unknowns when the a'_i are fixed).

Remark: If we find no solution, then we simply try again with new random vinegar unknowns.
After very few tries, the probability of obtaining at least one solution is very high, because
the probability for an n × n matrix over K to be invertible is not negligible. (It is exactly
(1 - 1/q)(1 - 1/q^2) ... (1 - 1/q^n). For q = 2, this gives approximately 30%, and for q > 2, this
probability is even larger.)

Step 2: We compute x = s^{-1}(A), where A = (a_1, ..., a_n, a'_1, ..., a'_v). x is a signature of y.



Public verification of a signature

A signature x of y is valid if and only if all the (P) are satisfied. As a result, no secret is needed to
check whether a signature is valid: this is an asymmetric signature scheme.

Note: The name "Oil and Vinegar" comes from the fact that - in the equations (S) - the "oil
unknowns" a_i and the "vinegar unknowns" a'_j are not all mixed together: there are no a_i a_j products.
However, in (P), this property is hidden by the "mixing" of the unknowns by the s transformation. Is
this property "hidden enough"? In fact, this question exactly means: "is the scheme secure?". When
v = n, we call the scheme "Original Oil and Vinegar", since this case was first presented in [9]. This
case was broken in [5]. It is very easy to see that the cryptanalysis of [5] also works, exactly in the
same way, when v < n. However, the cases v > n are much more difficult. When v > n, we call the
scheme "Unbalanced Oil and Vinegar". The analysis of such schemes is the topic of this paper.



3 A short description of the attack of [5]: cryptanalysis of the case v = n

The idea of the attack of [5] is essentially the following:

In order to separate the oil variables and the vinegar variables, we look at the quadratic forms of the
n public equations of (P); we omit for a while the linear terms. Let G_i for 1 ≤ i ≤ n be the respective
matrix of the quadratic form of P_i of the public equations (P).

The quadratic part of the equations in the set (S) is represented as a quadratic form with a corresponding
2n × 2n matrix of the form

$$\begin{pmatrix} 0 & A \\ B & C \end{pmatrix};$$

the upper left n × n zero submatrix is due to the fact that an oil variable is not multiplied by an oil variable.

After hiding the internal variables with the linear function s, we get a representation for the matrices

$$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t,$$

where S is an invertible 2n × 2n matrix.

Definition 3.1: We define the oil subspace to be the linear subspace of all vectors in K^{2n} whose
second half contains only zeros.

Definition 3.2: We define the vinegar subspace as the linear subspace of all vectors in K^{2n} whose
first half contains only zeros.

Lemma 1 Let E and F be 2n × 2n matrices with an upper left zero n × n submatrix. If F is invertible,
then the oil subspace is an invariant subspace of E F^{-1}.

Proof: E and F map the oil subspace into the vinegar subspace. If F is invertible, then this mapping
between the oil subspace and the vinegar subspace is one to one and onto (here we use the assumption
that v = n). Therefore F^{-1} maps the vinegar subspace back into the oil subspace; this argument
explains why the oil subspace is transformed into itself by E F^{-1}.



Definition 3.4: For an invertible matrix G_j, define G_{ij} = G_i G_j^{-1}.

Definition 3.5: Let O be the image of the oil subspace by S^{-1}.
In order to find the oil subspace, we use the following theorem:

Theorem 3.1 O is a common invariant subspace of all the matrices G_{ij}.

Proof:

The two inner matrices have the form of E and F in lemma 1. Therefore, the oil subspace is an invariant
subspace of the inner term and O is an invariant subspace of G_i G_j^{-1}.

The problem of finding a common invariant subspace of a set of matrices is studied in [5]. Applying the
algorithms in [5] gives us O. We then pick V to be an arbitrary subspace of dimension n such that
V + O = K^{2n}, and they give an equivalent oil and vinegar separation.

Once we have such a separation, we bring back the linear terms that were omitted, we pick random
values for the vinegar variables and we are left with a set of n linear equations in the n oil variables.

Note: Lemma 1 is not true any more when v > n. The oil subspace is still mapped by E and F into
the vinegar subspace. However F^{-1} does not necessarily map the image by E of the oil subspace back
into the oil subspace, and this is why the cryptanalysis of the original oil and vinegar is not valid for
the unbalanced case.

This corresponds to the fact that, if the submatrix of zeros in the top left corner of F is smaller than
n × n, then F^{-1} does not have (in general) a submatrix of zeros in the bottom right corner. For example:

\ 2 1 2 / V -"-^ 6 -3 / 

However, when v − n is small, we see in the next section how to extend the attack.

4 Cryptanalysis when v > n and v ≈ n

In this section, we discuss the case of Oil and Vinegar schemes where v > n. Although a direct application
of the attack described in [5] and in the previous section does not solve the problem, a modification of
the attack exists that is applicable as long as v − n is small.

Definition 4.1: We define in this section the oil subspace to be the linear subspace of all vectors in
K^{n+v} whose last v coordinates are only zeros.

Definition 4.2: We define in this section the vinegar subspace to be the linear subspace of all vectors
in K^{n+v} whose first n coordinates are only zeros.

Here in this section, we start with the homogeneous quadratic terms of the equations: we omit the
linear terms for a while.

The matrices G_i have the representation

[equation lost in extraction]

where the upper left matrix is the n × n zero matrix, A_i is an n × v matrix, B_i is a v × n matrix, C_i is
a v × v matrix and S is an (n + v) × (n + v) invertible linear matrix.



Definition 4.3: Define E_i to be $\begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix}$.

Lemma 2 For any matrix E that has the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$, the following holds:

a) E transforms the oil subspace into the vinegar subspace.

b) If the matrix E^{-1} exists, then the image of the vinegar subspace by E^{-1} is a subspace of dimension
v which contains the n-dimensional oil subspace in it.

Proof: a) follows directly from the definition of the oil and vinegar subspaces. When a) is given,
then b) is immediate.

The algorithm we propose is a probabilistic algorithm. It looks for an invariant subspace of the oil
subspace after it is transformed by S. The probability for the algorithm to succeed on the first try is
small. Therefore we need to repeat it with different inputs. We use the following property: any linear
combination of the matrices E_1, ..., E_n is also of the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$.

The following theorem explains why an invariant subspace may exist with a certain probability.

Theorem 4.1 Let F be an invertible linear combination of the matrices E_1, ..., E_n. Then for any k
such that E_k^{-1} exists, the matrix F E_k^{-1} has a non trivial invariant subspace which is also a subspace of
the oil subspace, with probability not less than [lost], where d = v − n.

Proof: The matrix F maps the oil subspace into the vinegar subspace; the image by F of the oil
subspace is mapped by E_k^{-1} into a subspace of dimension v that contains the oil subspace - these are
due to lemma 1. We write v = n + d, where d is a small integer. The oil subspace and its image by
F E_k^{-1} are two subspaces with dimension n that reside in a subspace of dimension n + d. Therefore,
their intersection is a subspace of the oil subspace with dimension not less than n − d. We denote the
oil subspace by I_0 and the intersection subspace by I_1. Now, we take the inverse image by F E_k^{-1} of
I_1; this is a subspace of I_0 (the oil subspace) with dimension not less than n − d, and the intersection
between this subspace and I_1 is a subspace of I_1 with dimension not less than n − 2d. We call this
subspace I_2. We can continue this process and define I_t to be the intersection of I_{t−1} and its inverse
image by F E_k^{-1}. These two subspaces have co-dimension not more than d in I_{t−2}. Therefore, I_t has
a co-dimension not more than 2d in I_{t−2} or a co-dimension not more than d in I_{t−1}. We can carry on
this process as long as we are sure that the inverse image by F E_k^{-1} of I_t has a non trivial intersection
with I_t. This is ensured as long as the dimension of I_t is greater than d, but when the dimension is d
or less than d, there is no guarantee that these two subspaces - that reside in I_{t−1} - have a non trivial
intersection. We end the process with I_t that has dimension ≤ d and that resides in I_{t−1} with dimension
not more than 2d.

We know that the transformation (F E_k^{-1})^{-1} maps I_t into I_{t−1}. With probability not less than [lost]
there is a non zero vector in I_t that is mapped to a non zero multiple of itself - and therefore there is a
non trivial invariant subspace of F E_k^{-1} which is also a subspace of the oil subspace.

Note: It is possible to get a better result for the expected number of eigenvectors and with much
less effort: I_1 is a subspace with dimension not less than n − d and is mapped by F E_k^{-1} into a subspace
with dimension n. The probability for a non zero vector to be mapped to a non zero multiple of itself
is [lost]. To get the expected value, we multiply it by the number of non zero vectors in I_1. It gives
a value which is not less than [lost]. Since every eigenvector is counted q − 1 times, the
expected number of invariant subspaces of dimension 1 is not less than [lost] ≈ q^{−d}.

We define O as in section 3 and we get the following result for O:

Theorem 4.2 Let F be an invertible linear combination of the matrices G_1, ..., G_n. Then for any k
such that G_k^{-1} exists, the matrix F G_k^{-1} has a non trivial invariant subspace, which is also a subspace
of O, with probability not less than [lost], where d = v − n.

Proof:

[equation lost in extraction]

The inner term has a non trivial invariant subspace inside the oil subspace with the required probability. Therefore,
the same will hold for F G_k^{-1}, but instead of a subspace of the oil subspace, we get a subspace of O.

How to find O?

We take a random linear combination of G_1, ..., G_n and multiply it by an inverse of one of the G_k
matrices. Then we calculate all the minimal invariant subspaces of this matrix (a minimal invariant
subspace of a matrix A contains no non trivial invariant subspaces of the matrix A - these subspaces
correspond to irreducible factors of the characteristic polynomial of A). This can be done in probabilistic
polynomial time using standard linear algebra techniques. This matrix may have an invariant
subspace which is a subspace of O.

The following lemma enables us to distinguish between subspaces that are contained in O and random
subspaces.

Lemma 3 If H is a linear subspace and H ⊆ O, then for every x, y in H and every i, G_i(x, y) = 0
(here we regard G_i as a bilinear form).

Proof: There are x' and y' in the oil subspace such that x' = x S^{-1} and y' = y S^{-1}.

[equation lost in extraction]

The last term is zero because x' and y' are in the oil subspace.

This lemma gives a polynomial test to distinguish between subspaces of O and random subspaces.
If the matrix we used has no minimal subspace which is also a subspace of O, then we pick another
linear combination of G_1, ..., G_n, multiply it by an inverse of one of the G_k matrices and try again.
After repeating this process approximately q^{d−1} times, we find with good probability at least one non-zero
vector of O. We continue the process until we get n independent vectors of O. These vectors span O.
The expected complexity of the process is proportional to q^{d−1} n^4. We use here the expected number
of tries until we find a non trivial invariant subspace, and the term n^4 covers the computational linear
algebra operations we need to perform for every try.

5 The cases v ≈ [lost] (or v ≥ [lost])

Property

Let (A) be a random set of n quadratic equations in (n + v) variables z_1, ..., z_{n+v}. (By "random" we
mean that the coefficients of these equations are uniformly and randomly chosen.) When v ≈ [lost] (and
more generally when v ≥ [lost]) there is probably - for most of such (A) - a linear change of variables
(z_1, ..., z_{n+v}) ↦ (z'_1, ..., z'_{n+v}) such that the set (A') of (A) equations written in (z'_1, ..., z'_{n+v}) is an "Oil
and Vinegar" system (i.e. there are no terms in z'_i · z'_j with i ≤ n and j ≤ n).

An argument to justify the property

Let

$$\begin{cases} z'_1 = \alpha_{1,1}\, z_1 + \alpha_{1,2}\, z_2 + \cdots + \alpha_{1,n+v}\, z_{n+v} \\ \quad\vdots \\ z'_{n+v} = \alpha_{n+v,1}\, z_1 + \alpha_{n+v,2}\, z_2 + \cdots + \alpha_{n+v,n+v}\, z_{n+v} \end{cases}$$

By writing that the coefficient in all the n equations of (A) of all the z'_i · z'_j (i ≤ n and j ≤ n) is zero,
we obtain a system of n · n · [lost] quadratic equations in the (n + v) · n variables α_{ij} (1 ≤ i ≤ n + v,
1 ≤ j ≤ n). Therefore, when v ≥ approximately [lost], we may expect to have a solution for this system
of equations for most of (A).



Remarks:

1. This argument is very natural, but this is not a complete mathematical proof.

2. The system may have a solution, but finding the solution might be a difficult problem. This is
why an Unbalanced Oil and Vinegar scheme might be secure (for well chosen parameters): there
is always a linear change of variables that makes the problem easy to solve, but finding such a
change of variables might be difficult.

3. In section 7, we will see that, despite the result of this section, it is not recommended to choose

6 Solving a set of n quadratic equations in k unknowns, k ≥ [lost], is NP-hard

We present in section 7 an algorithm that solves in polynomial complexity more than 99% of the sets
of n quadratic equations in n^2 (or more) variables (i.e. it will probably succeed in more than 99% of
the cases when the coefficients are randomly chosen).

Roughly speaking, we can summarize this result by saying that solving a "random" set of n quadratic
equations in [lost] (or more) variables is feasible in polynomial complexity (and thus is not NP-hard if
P ≠ NP). However, we see in the present section that the problem of solving any (i.e. 100%) set of n
quadratic equations in k ≥ n variables (so for example in k = [lost] variables) is NP-hard!
To see this, let us assume that we have a black box that takes any set of n quadratic equations with k
variables in input, and that gives one solution when at least one solution exists. Then we can use this
black box to find a solution for any set of n quadratic equations in n variables (and this is NP-hard).
We proceed (for example) as follows. Let (A) be a set of (n − 1) quadratic equations with (n − 1)
variables x_1, x_2, ..., x_{n−1}. Then let y_1, ..., y_α be α more variables.

Let (B) be the set of (A) equations plus one quadratic equation in y_1, ..., y_α (for example the equation:
(y_1 + ... + y_α)^2 = 1). Then (B) is a set of exactly n quadratic equations in (n − 1 + α) variables. It is
clear that from the solution of (B) we will immediately find one solution for (A).

Note 1: (B) has a very special shape! This is why there is a polynomial algorithm for 99% of the
equations without contradicting the fact that solving these sets (B) of equations is an NP-hard problem.

Note 2: For (B), we can also add more than one quadratic equation in the y_i variables and we can
linearly mix these equations with the equations of (A). In this case, (B) is still of a very special form,
but this very special form is less obvious at first glance since all the variables x_i and y_j are in all the
equations of (B).



7 A generally efficient algorithm for solving a random set of n quadratic equations in [lost] (or more) unknowns

In this section, we describe an algorithm that solves a system of n randomly chosen quadratic equations
in n + v variables, when v ≥ n^2.
Let (S) be the following system:

$$(S)\quad \begin{cases} \displaystyle\sum_{1 \le i \le j \le n+v} a_{ij1}\, x_i x_j + \sum_{1 \le i \le n+v} [\text{lost}]\, x_i + [\text{lost}] = 0 \\ \quad\vdots \\ \displaystyle\sum_{1 \le i \le j \le n+v} a_{ijn}\, x_i x_j + \sum_{1 \le i \le n+v} [\text{lost}]\, x_i + [\text{lost}] = 0 \end{cases}$$

The main idea of the algorithm consists in using a change of variables such as:

$$x_1 = \alpha_{1,1}\, y_1 + \alpha_{2,1}\, y_2 + \cdots + \alpha_{n,1}\, y_n + \alpha_{n+1,1}\, y_{n+1} + \cdots + \alpha_{n+v,1}\, y_{n+v}$$

[the remaining rows of the change of variables are lost in extraction]

whose α_{ij} coefficients (for 1 ≤ i ≤ n, 1 ≤ j ≤ n + v) are found step by step, in order that the resulting
system (S') (written with respect to these new variables y_1, ..., y_{n+v}) is easy to solve.

• We begin by choosing randomly α_{1,1}, ..., α_{1,n+v}.

• We then compute α_{2,1}, ..., α_{2,n+v} such that (S') contains no y_1 y_2 terms. This condition leads to
a system of n linear equations on the (n + v) unknowns α_{2,j} (1 ≤ j ≤ n + v):

$$\sum_{1 \le i \le j \le n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{2,j} = 0 \qquad (1 \le k \le n).$$

• We then compute α_{3,1}, ..., α_{3,n+v} such that (S') contains neither y_1 y_3 terms, nor y_2 y_3 terms. This
condition is equivalent to the following system of 2n linear equations on the (n + v) unknowns
α_{3,j} (1 ≤ j ≤ n + v):

$$\begin{cases} \displaystyle\sum_{1 \le i \le j \le n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{3,j} = 0 & (1 \le k \le n) \\[1ex] \displaystyle\sum_{1 \le i \le j \le n+v} a_{ijk}\, \alpha_{2,i}\, \alpha_{3,j} = 0 & (1 \le k \le n) \end{cases}$$

• ...

• Finally, we compute α_{n,1}, ..., α_{n,n+v} such that (S') contains neither y_1 y_n terms, nor y_2 y_n terms,
..., nor y_{n−1} y_n terms. This condition gives the following system of (n − 1)n linear equations on
the (n + v) unknowns α_{n,j} (1 ≤ j ≤ n + v):

$$\begin{cases} \displaystyle\sum_{1 \le i \le j \le n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{n,j} = 0 & (1 \le k \le n) \\ \quad\vdots \\ \displaystyle\sum_{1 \le i \le j \le n+v} a_{ijk}\, \alpha_{n-1,i}\, \alpha_{n,j} = 0 & (1 \le k \le n) \end{cases}$$

In general, all these linear equations provide at least one solution (found by Gaussian reductions). In
particular, the last system of n(n − 1) equations and (n + v) unknowns generally gives a solution, as
soon as n + v ≥ n(n − 1), i.e. v ≥ n(n − 2), which is true by hypothesis.

Moreover, the n vectors

$$\begin{pmatrix} \alpha_{1,1} \\ \vdots \\ \alpha_{1,n+v} \end{pmatrix}, \ldots, \begin{pmatrix} \alpha_{n,1} \\ \vdots \\ \alpha_{n,n+v} \end{pmatrix}$$

are very likely to be linearly independent for a random quadratic system (S).

The remaining α_{ij} constants (i.e. those with n + 1 ≤ i ≤ n + v and 1 ≤ j ≤ n + v) are randomly
chosen, so as to obtain a bijective change of variables.

By rewriting the system (S) with respect to these new variables y_i, we are led to the following system (S'):

$$(S')\quad \begin{cases} \quad\vdots \\ \displaystyle\sum_{i=1}^{n} \beta_{i,n}\, y_i + y_1 L_{1,n}(y_{n+1}, \ldots, y_{n+v}) + \cdots + y_n L_{n,n}(y_{n+1}, \ldots, y_{n+v}) + Q_n(y_{n+1}, \ldots, y_{n+v}) = 0 \end{cases}$$

where each L_{ij} is an affine function and each Q_i is a quadratic function.
We then compute y_{n+1}, ..., y_{n+v} such that:

$$\forall i,\ 1 \le i \le n,\ \forall j,\ 1 \le j \le n,\quad L_{ij}(y_{n+1}, \ldots, y_{n+v}) = 0.$$

This is possible because we have to solve a system of [lost] equations in v unknowns, which generally
provides at least one solution, as long as v ≥ n^2.

It remains to solve the following system of n equations on the n unknowns y_1, ..., y_n:

[system lost in extraction]

where λ_k = −Q_k(y_{n+1}, ..., y_{n+v}) (1 ≤ k ≤ n).
In general, this gives the y_i by Gaussian reduction.



8 A variation with twice smaller signatures

In the UOV described in section 2, the public key is a set of n quadratic equations y_i = P_i(x_1, ..., x_{n+v}),
for 1 ≤ i ≤ n, where y = (y_1, ..., y_n) is the hash value of the message to be signed. If we use a collision-
free hash function, the hash value must be at least 128 bits long. Therefore, q^n must be at least 2^128,
so that the typical length of the signature, if v = 2n, is at least 3 × 128 = 384 bits.
As we see now, it is possible to make a small variation in the signature design in order to obtain twice
smaller signatures. The idea is to keep the same polynomials P_i (with the same associated secret key),
but now the public equations that we check are:

$$\forall i,\quad P_i(x_1, \ldots, x_{n+v}) + L_i(y_1, \ldots, y_n, x_1, \ldots, x_{n+v}) = 0,$$

where L_i is a linear function in (x_1, ..., x_{n+v}) and where the coefficients of L_i are generated by a hash
function in (y_1, ..., y_n).

For example L_i(y_1, ..., y_n, x_1, ..., x_{n+v}) = α_1 x_1 + α_2 x_2 + ... + α_{n+v} x_{n+v}, where (α_1, α_2, ..., α_{n+v}) = Hash(y_1 || ... || y_n || i). Now, n can be chosen such that q^n ≥ 2^64 (instead of q^n ≥ 2^128). (Note: q^n must be ≥ 2^64 in
order to avoid exhaustive search on a solution x.) If v = 2n and q^n ≈ 2^64, the length of the signature
will be 3 × 64 = 192 bits.
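The scheme of section 2 (key generation, signature with Gaussian reduction on the oil unknowns, public verification) together with the half-length variation of this section, as an added worked example; this is not code from the paper or from the patent. It assumes a prime field F_q (the paper allows any small finite field such as F_2 or F_16; integer arithmetic modulo a prime simply keeps the example short), toy-sized n and v, and SHAKE-128 as the hash that generates the coefficients of L_i from (y, i). The function and variable names (keygen, sign, verify, compose, hash_coeffs, demo) are the example's own. The secret equations are stored as (M_i, l_i, δ_i) with a zero n × n oil/oil block in M_i; the public polynomials P_i are obtained by composing them with the affine map A = S x + c; signing fixes the vinegar values and solves the resulting affine system, retrying when the n × n matrix is singular, exactly as the remark of section 2 describes.

```python
import hashlib
import random

# Added example, not code from the paper or the patent. F_q is taken prime (arithmetic
# mod q) only for simplicity; the scheme allows any small finite field. Toy sizes only.


def mat_mul(A, B, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]


def solve(M, cols, q):
    """Gaussian reduction over F_q: M*X = b for each column b in cols; None if singular."""
    n = len(M)
    aug = [[x % q for x in row] + [b[i] % q for b in cols] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None                      # singular: the signer retries with new vinegar
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, q)
        aug[c] = [x * inv % q for x in aug[c]]
        for r in range(n):
            f = aug[r][c] if r != c else 0
            aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[c])]
    return [[row[n + j] for row in aug] for j in range(len(cols))]


def evaluate(M, l, d, x, q):
    """Value of x^T M x + l.x + d over F_q."""
    quad = sum(xi * mij * xj for xi, row in zip(x, M) for mij, xj in zip(row, x))
    return (quad + sum(a * b for a, b in zip(l, x)) + d) % q


def compose(M, l, d, S, c, q):
    """Rewrite A^T M A + l.A + d with A = S x + c as a polynomial in x (the mixing by s)."""
    Mp = mat_mul(list(zip(*S)), mat_mul(M, S, q), q)                 # S^T M S
    lin = zip(mat_mul([c], mat_mul(M, S, q), q)[0],                   # c^T M S
              mat_mul([c], mat_mul(list(zip(*M)), S, q), q)[0],       # c^T M^T S
              mat_mul([l], S, q)[0])                                  # l^T S
    return Mp, [sum(t) % q for t in lin], evaluate(M, l, d, c, q)     # constant: Q(c)


def keygen(n, v, q, rng=random):
    """Secret: affine bijection s = (S, c) and n equations (S) with zero oil x oil block.
    Public: the polynomials P_i, i.e. the same equations composed with s."""
    m = n + v
    while True:
        S = [[rng.randrange(q) for _ in range(m)] for _ in range(m)]
        cols = solve(S, [[int(i == j) for i in range(m)] for j in range(m)], q)
        if cols is not None:                 # S invertible; cols = columns of S^-1
            break
    c = [rng.randrange(q) for _ in range(m)]
    eqs = []
    for _ in range(n):                       # no a_i a_j terms: top-left n x n block is zero
        M = [[0 if i < n and j < n else rng.randrange(q) for j in range(m)] for i in range(m)]
        eqs.append((M, [rng.randrange(q) for _ in range(m)], rng.randrange(q)))
    sk = dict(S=S, S_inv=[list(r) for r in zip(*cols)], c=c, eqs=eqs, n=n, v=v, q=q)
    return sk, dict(eqs=[compose(M, l, d, S, c, q) for M, l, d in eqs], n=n, v=v, q=q)


def hash_coeffs(y, i, m, q):
    """Section 8: coefficients of L_i from Hash(y || i); SHAKE-128 is an assumption."""
    return [b % q for b in hashlib.shake_128(repr((list(y), i)).encode()).digest(m)]


def sign(sk, y, halved=False, rng=random):
    """Step 1: fix vinegar, solve the n equations (affine in the oil unknowns), retry if
    singular. Step 2: x = s^-1(A). With halved=True (section 8) the public check is
    P_i(x) + L_i(x) = 0, and L_i(x) = alpha.S^-1(A - c) is affine in A, so it joins step 1."""
    n, v, q, m = sk["n"], sk["v"], sk["q"], sk["n"] + sk["v"]
    while True:
        vin = [rng.randrange(q) for _ in range(v)]
        rows, rhs = [], []
        for i, (M, l, d) in enumerate(sk["eqs"]):
            if halved:
                a_row = mat_mul([hash_coeffs(y, i, m, q)], sk["S_inv"], q)[0]
                l = [(a + b) % q for a, b in zip(l, a_row)]
                d -= sum(a * b for a, b in zip(a_row, sk["c"]))
            const = evaluate(M, l, d, [0] * n + vin, q)
            # no a_j^2 term, so the coefficient of a_j is Q(e_j, vin) - Q(0, vin)
            rows.append([(evaluate(M, l, d, [int(k == j) for k in range(n)] + vin, q) - const) % q
                         for j in range(n)])
            rhs.append((0 if halved else y[i]) - const)
        oil = solve(rows, [rhs], q)
        if oil is not None:
            break
    A = oil[0] + vin
    return solve(sk["S"], [[(a - b) % q for a, b in zip(A, sk["c"])]], q)[0]


def verify(pk, y, x, halved=False):
    """Public check: P_i(x) = y_i (section 2) or P_i(x) + L_i(x) = 0 (section 8) for all i."""
    q, m = pk["q"], pk["n"] + pk["v"]
    for i, (M, l, d) in enumerate(pk["eqs"]):
        val = evaluate(M, l, d, x, q)
        if halved:
            val = (val + sum(a * b for a, b in zip(hash_coeffs(y, i, m, q), x))) % q
        if val != (0 if halved else y[i] % q):
            return False
    return True


def demo(seed=1, n=4, v=8, q=7):
    """Key pair, one section 2 signature and one section 8 signature on a constructed y."""
    rng = random.Random(seed)
    sk, pk = keygen(n, v, q, rng)
    y = [rng.randrange(q) for _ in range(n)]          # constructed stand-in for Hash(message)
    x, x2 = sign(sk, y, rng=rng), sign(sk, y, halved=True, rng=rng)
    return verify(pk, y, x), verify(pk, y, x2, halved=True), verify(pk, [(t + 1) % q for t in y], x)
```

demo() returns (True, True, False): the section 2 signature verifies against y, the section 8 signature verifies against the hash-derived linear forms, and the section 2 signature is rejected for a different y. The halved variant changes neither the secret key nor the signing cost, because the hash-derived linear form, once written in the A coordinates, only adds to the affine part of the oil system that step 1 already solves.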



9 Oil and Vinegar of degree three
9.1 The scheme

The quadratic Oil and Vinegar schemes described in section 2 can easily be extended to any higher
degree. We now present the schemes in degree three.

Variables

Let K be a small finite field (for example K = F_2). Let a_1, ..., a_n be n elements of K, called the
"oil" unknowns. Let a'_1, ..., a'_v be v elements of K, called the "vinegar" unknowns.

Secret key

The secret key is made of two parts:

1. A bijective and affine function s : K^{n+v} → K^{n+v}.

2. A set (S) of n equations of the following type:

$$\forall i,\ 1 \le i \le n,\quad y_i = \sum \gamma_{ijkl}\, a_j a'_k a'_l + \sum \mu_{ijkl}\, a'_j \ldots \quad [\text{remaining terms lost in extraction}]$$

The coefficients γ_{ijkl}, μ_{ijkl}, λ_{ijk}, [lost]_{ijk}, ξ_{ij}, ξ'_{ij} and δ_i are the secret coefficients of these n equations.
Note that these equations (S) contain no terms in a_j a_k a_l or in a_j a_k: the equations are affine in
the a_j unknowns when the a'_j unknowns are fixed.

Public key

Let A be the element of K^{n+v} defined by A = (a_1, ..., a_n, a'_1, ..., a'_v). A is transformed into x = s^{-1}(A),
where s is the secret, bijective and affine function from K^{n+v} to K^{n+v}. Each value y_i, 1 ≤ i ≤ n, can
be written as a polynomial P_i of total degree three in the x_j unknowns, 1 ≤ j ≤ n + v. We denote by
(P) the set of the following n equations:

$$\forall i,\ 1 \le i \le n,\quad y_i = P_i(x_1, \ldots, x_{n+v}) \qquad (P).$$

These n equations (P) are the public key.

Computation of a signature

Let y be the message to be signed (or its hash value).

Step 1: We randomly choose the v vinegar unknowns a'_i, and then we compute the a_i unknowns from (S)
by Gaussian reductions (because - since there are no a_i a_j terms - the (S) equations are affine in
the a_i unknowns when the a'_i are fixed). (If we find no solution for this affine system of n equations
and n "oil" unknowns, we just try again with new random "vinegar" unknowns.)

Step 2: We compute x = s^{-1}(A), where A = (a_1, ..., a_n, a'_1, ..., a'_v). x is a signature of y.

Public verification of a signature

A signature x of y is valid if and only if all the (P) are satisfied.

9.2 First cryptanalysis of Oil and Vinegar of degree three when v ≤ n

We can look at the quadratic part of the public key and attack it exactly as for an Oil and Vinegar of
degree two. This is expected to work when v ≤ n.

Note: If there is no quadratic part (i.e. if the public key is homogeneous of degree three), or if this
attack does not work, then it is always possible to apply a random affine change of variables and to try
again. Moreover, we will see in section 9.3 that, surprisingly, there is an even easier and more efficient
attack in degree three than in degree two!

9.3 Cryptanalysis of Oil and Vinegar of degree three when v ≤ (1 + √3)n and K is
of characteristic 2 (from an idea of D. Coppersmith, cf [1])

The key idea is to detect a "linearity" in some directions. We search the set V of the values d =
(d_1, ..., d_{n+v}) such that:

$$\forall x,\ \forall i,\ 1 \le i \le n,\quad P_i(x + d) + P_i(x - d) = 2 P_i(x) \qquad (\#).$$

By writing that each x_k indeterminate has a zero coefficient, we obtain n · (n + v) quadratic equations
in the (n + v) unknowns d_j.

(Each monomial x_j x_k x_l gives (x_j + d_j)(x_k + d_k)(x_l + d_l) + (x_j − d_j)(x_k − d_k)(x_l − d_l) − 2 x_j x_k x_l, i.e.
2(x_j d_k d_l + x_k d_j d_l + x_l d_j d_k).)

Furthermore, the cryptanalyst can specify about n − 1 of the coordinates d_k of d, since the vector
space of the correct d is of dimension n. It remains thus to solve n · (n + v) quadratic equations in [lost]
unknowns d_j. When v is not too large (typically when [lost] ≤ n(n + v), i.e. when v ≤ (1 + √3)n),
this is expected to be easy.

As a result, when v ≤ approximately (1 + √3)n and |K| is odd, this gives a simple way to break the
scheme.

Note 1: When v is noticeably greater than (1 + √3)n (this is a more unbalanced limit than what we
had in the quadratic case), we do not know at present how to break the scheme.

Note 2: Strangely enough, this cryptanalysis of degree three Oil and Vinegar schemes does not work
on degree two Oil and Vinegar schemes. The reason is that - in degree two - writing

$$\forall x,\ \forall i,\ 1 \le i \le n,\quad P_i(x + d) + P_i(x - d) = 2 P_i(x)$$

only gives n equations of degree two on the (n + v) unknowns d_j (that we do not know how to solve).
(Each monomial x_j x_k gives (x_j + d_j)(x_k + d_k) + (x_j − d_j)(x_k − d_k) − 2 x_j x_k, i.e. 2 d_j d_k.)

Note 3: In degree two, we have seen that Unbalanced Oil and Vinegar public keys are expected
to cover almost all the set of n quadratic equations when v ≈ [lost]. In degree three, we have a similar
property: the public keys are expected to cover almost all the set of n cubic equations when v ≈ [lost]
(the proof is similar).

10 Public key length

It is always feasible to make some easy transformations on a public key in order to obtain the public key
in a canonical way, such that this canonical expression is slightly shorter than the original expression.
First, it is always possible to publish only the homogeneous part of the quadratic equations (and not
the linear part), because if we know the secret affine change of variables, then we can solve P(x) = y in
an Oil and Vinegar scheme, and we can also solve P(x) + L(x) = y, where L is any linear expression, with
the same affine change of variables. It is thus possible to publish only the homogeneous part P and to
choose a convention for computing the linear part L of the public key (instead of publishing L). For
example, this convention can be that the linear terms of L in the equation number i (1 ≤ i ≤ n) are
computed from Hash(i || Id) (or from Hash(i || P)), where Hash is a public hash function and where Id
is the identity of the owner of the secret key.

On the equations, it is also possible to:

1. Make linear and bijective changes of variable x' = A(x).

2. Compute a linear and bijective transformation on the equations, y' = [lost]. (For example, the
new first equation can be the old first plus the old third equation, etc.)

By combining these two transformations, it is always possible to decrease slightly the length of
the public key.

Idea 1: It is possible to make a change of variable such that the first equation is in a canonical
form (see [6], chapter 6). With this presentation of the public key, the length of the public key will be
approximately [lost] times the initial length.

Idea 2: Another idea is to use the idea of section 7, i.e. to create a square of λ × λ zeros in the
coefficients, where λ ≈ √(n + v). With this presentation, the length of the public key is approximately
[lost] times the initial length.

Remark: As we will see in section 12, the most efficient way of reducing the length of the public
key is to choose carefully the values q and n.

11 Summary of the results

The underlying field is K = F_q with q a power of a prime p. Its characteristic is p.

"As difficult as random" means that the problem of breaking the scheme is expected to be as difficult
as the problem of solving a system of equations in v variables when the coefficients are randomly chosen
(i.e. with no trapdoor).

[Summary table, partly lost in extraction. Surviving column headings: "Not broken", "Not broken and
as difficult as random", "Broken (despite as ...)". Surviving rows, by degree of the equations:
degree 2 (for all p): v < n; n < v < [lost]; v > [lost].
degree 3 (for p = 2): (1 + √3)n < v < [lost]; [lost] < v < [lost].
degree 3 (for p ≠ 2): v < n; n < v < [lost].]

In this table, we have summarized our current results on the attacks on Unbalanced Oil and Vinegar
schemes. The original paper ([5]) was only studying the case v = n for quadratic equations.



12 Concrete examples of parameters

In all the examples below, we do not know how to break the scheme. We have arbitrarily chosen v = 2n
(or v = 3n) in all these examples (since v ≤ n and v ≥ n^2 are insecure).

Example 1: K = F_2, n = 128, v = 256 (or v = 384). The signature scheme is the one of section
2. The length of the public key is approximately n · [lost] bits. This gives here a huge value:
approximately 1.1 Mbytes (or 2 Mbytes)! The length of the secret key (the s matrix) is approximately
(n + v)^2 bits, i.e. approximately 18 Kbytes. However, this secret key can always be generated from a
small secret seed of, say, 64 bits.

Example 2: K = F_2, n = 64, v = 128 (or v = 192). The signature scheme is the one of section 8. The
length of the public key is 144 Kbytes (or 256 Kbytes).

Example 3: K = F_16, n = 16, v = 32 (or v = 48). s is a secret affine bijection over F_16. The signature
scheme is the one of section 8. The length of the public key is 9 Kbytes (or 16 Kbytes).

Example 4: K = F_16, n = 16, v = 32 (or v = 48). s is a secret affine bijection over F_16 such that all
its coefficients lie in F_2. Moreover, the secret quadratic coefficients are also chosen in F_2, so that the
public functions P_i, 1 ≤ i ≤ n, are n quadratic equations in (n + v) unknowns of F_16, with coefficients
in F_2. In this case (the signature scheme is still the one of section 8), the length of the public key is
2.2 Kbytes (or 4 Kbytes).

Note: In all these examples, n ≥ 16 in order to prevent Gröbner bases algorithms from finding a solution x,
and q^n ≥ 2^64 in order to avoid exhaustive search on x.
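The key and signature sizes quoted in the four examples above, recomputed as an added example (this is a calculation written for this page, not code from the paper or the patent). It assumes that the published key is the homogeneous quadratic part of the n polynomials P_i, as section 10 suggests, so that each P_i carries (n+v)(n+v+1)/2 coefficients; with this count the figures of Examples 1 to 4 are reproduced (1.1 Mbytes, 144 Kbytes, 9 Kbytes, 2.2 Kbytes, the 18 Kbytes secret matrix and the 384- and 192-bit signatures). The secret key size follows the paper's own estimate of (n+v)^2 field elements for the matrix of s. Function names and the EXAMPLES table are the example's own.

```python
# Added example, not code from the paper or the patent. Assumes the public key is the
# homogeneous quadratic part of the n polynomials P_i (section 10), i.e. one coefficient
# per monomial x_i x_j with i <= j, each stored in `coeff_bits` bits.


def quadratic_monomials(m):
    """Number of monomials x_i x_j with 1 <= i <= j <= m."""
    return m * (m + 1) // 2


def public_key_bits(n, v, coeff_bits):
    return n * quadratic_monomials(n + v) * coeff_bits


def secret_key_bits(n, v, log2q):
    """The (n+v) x (n+v) matrix of s, one field element per entry (the paper's estimate)."""
    return (n + v) ** 2 * log2q


def signature_bits(n, v, log2q):
    """x is an element of K^(n+v)."""
    return (n + v) * log2q


def kib(bits):
    return bits / 8 / 1024


# The paper's examples: (label, n, v, log2 q, bits per public coefficient).
# Example 4 keeps the public coefficients in F_2 even though K = F_16.
EXAMPLES = [
    ("Example 1, section 2, K=F2", 128, 256, 1, 1),
    ("Example 1, section 2, K=F2", 128, 384, 1, 1),
    ("Example 2, section 8, K=F2", 64, 128, 1, 1),
    ("Example 2, section 8, K=F2", 64, 192, 1, 1),
    ("Example 3, section 8, K=F16", 16, 32, 4, 4),
    ("Example 3, section 8, K=F16", 16, 48, 4, 4),
    ("Example 4, section 8, K=F16, coefficients in F2", 16, 32, 4, 1),
    ("Example 4, section 8, K=F16, coefficients in F2", 16, 48, 4, 1),
]


def size_table():
    """Rows of (label, n, v, public key KiB, secret key KiB, signature bits)."""
    return [(label, n, v, round(kib(public_key_bits(n, v, cb)), 1),
             round(kib(secret_key_bits(n, v, lq)), 1), signature_bits(n, v, lq))
            for label, n, v, lq, cb in EXAMPLES]


if __name__ == "__main__":
    for row in size_table():
        print("%-50s n=%3d v=%3d  pk=%8.1f KiB  sk=%6.1f KiB  sig=%4d bits" % row)
```

The table makes the trade-off of the remark in section 10 visible: moving from F_2 with n = 128 to F_16 with n = 16 keeps q^n = 2^64 for the section 8 scheme while shrinking the public key by two orders of magnitude, and restricting the public coefficients to F_2 (Example 4) divides it by a further four.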

13 Conclusion

The original Oil and Vinegar signature algorithm had a very efficient cryptanalysis (cf [5]). Moreover,
we have seen in this paper that Oil and Vinegar schemes are often not more secure in degree three than
in degree two. However, surprisingly, some of the very simple variations called "Unbalanced Oil and
Vinegar" described in this paper have so far resisted all attacks. The scheme is still very simple, very
fast, and its parameters can be chosen in order to have a reasonable size for the public key. Its security
is an open problem, but it is interesting to notice that - when the number of "vinegar unknowns"
becomes approximately [lost] (for n "oil unknowns") - then (if we accept a natural property) the scheme
is as hard to break as a random set of n quadratic equations in [lost] unknowns (with no trapdoor).
This may give hope to obtain more concrete results of security on multivariate polynomial public key
cryptography.
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CLAIMS 



1. A digital signature cryptographic method comprising: 

supplying a set S 1 of k polynomial functions as a public-key, the 
5 set SI including the functions Pi(xi,,..,Xn+v, Yi, - v-yk),. Pk(xi,,..,Xn-Kv, Yi, ..,yk)> 
where k, v, and n are integers, Xi,...,Xn+v are n-Hv variables of a first type, yi,. . .,yic 
are k variables of a second type, and the set SI is obtained by applying a secret 
key operation on a set S2 of k polynomial functions 

P'i(ai,...,a„+v,yi,. . .,yk),. . .,P'k(ai,...,a„+v,yi,. . .Yk) where ai,..,,an+v are n+v 
10 variables which include a set of n "oil" variables ai,,..,a„, and a set of v "vinegar" 
variables ao+i,...,an+v; 

providing a message to be signed; 

applying a hash function on the message to produce a series of k 
values bi,...,bk; 

15 substituting the series of k values bi,. . .,bk for the variables yi, . . .,yk 

of the set S2 respectively to produce a set S3 of k polynomial functions 
P"i(ai,.,.,a„+v),..., P"k(ai,...,a„+v); 

selecting v values a'n+i,...,a'n+v for the v "vinegar" variables 

an+u---»an+v; 

20 solving a set of equations P"i(ai,..,,an,a'„+i,...,a'n+v)=0,..., 

P"k(ai,...,aa,a'„+i,...,a'„+v)=0 to obtain a solution for a*i,...,a'n; and 

applyiQg the secret key operation to transform a'i,...,a'n+v to a 
digital signature ei,...,en+v 

25 2, A method according to claim 1 and also comprisiug the step of 

verifyiag the digital signature. 



3. A method according to claim 2 and wherein said verifying step 

comprises the steps of: 



obtaioing the signature ei,...,en+v, the message, the hash function 
and the public key; 

applying the hash function on the message to produce the series of 
k values bi, . . . ,bk; and 
5 verifying that tifcie equations Pi(ei,,..,en+v,bu...,bi,)=0,..., 

Pk(ei,...,e„+v, bi,...,bk)=0 are satisfied, 

4. A method according to any of claims 1-3 and wherein the set S2 comprises the set f(a) of k polynomial functions of the HFEV scheme. 

5. A method according to any of claims 1-3 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme. 

6. A method according to any of claims 1-5 and wherein said supplying step comprises the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil" variables. 

7. A method according to any of claims 1-5 and wherein v is selected such that q"" is greater than 2^^ where q is the number of elements of a finite field K. 

8. A method according to any of claims 1-5 and wherein said supplying step comprises the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y_1,...,y_k variables in the k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k),..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables. 



9. A method according to claim 8 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: 

(a) for each characteristic p of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies the inequality q^^'^^^^x n"* > 2^, 

(b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^/6, and 

(c) for each p other than 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n and lower than or equal to n^/6. 
10. A method according to any of claims 1-9 and wherein said secret key operation comprises a secret affine transformation s on the n+v variables a_1,...,a_{n+v}. 

11. A method according to claim 4 and wherein said set S2 comprises an expression including k functions that are derived from a univariate polynomial. 

12. A method according to claim 11 and wherein said univariate polynomial includes a univariate polynomial of degree less than or equal to 100,000. 

13. A cryptographic method for verifying the digital signature of claim 1, the method comprising: 

obtaining the signature e_1,...,e_{n+v}, the message, the hash function and the public key; 

applying the hash function on the message to produce the series of k values b_1,...,b_k; and 

verifying that the equations P_1(e_1,...,e_{n+v}, b_1,...,b_k) = 0,..., P_k(e_1,...,e_{n+v}, b_1,...,b_k) = 0 are satisfied. 

14. In an "Oil and Vinegar" signature method, an improvement comprising the step of using more "vinegar" variables than "oil" variables. 

15. A method according to claim 14 and wherein the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: 

(a) for each characteristic p of a field K and for a degree 2 of the "Oil and Vinegar" signature method, v satisfies the inequality q^""""-^ 

(b) for p = 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^/6, and 

(c) for each p other than 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n and lower than or equal to n^/6. 
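Claims 1 to 3 and 13 describe the signing and verifying steps in prose; the following Python is an added illustration, not code from the application, that carries them through on a toy Oil and Vinegar instance over GF(31) with n = 3 oil and v = 6 vinegar variables (so v > n, as in claims 6 and 14). It writes each P'_i(a, y) of the claims as Q_i(a) - y_i, so solving P''_i = 0 after substituting b is solving Q_i(a) = b_i. The field size, parameters, hash-to-field mapping and seeded RNG are constructed for the example.

```python
import hashlib, random

P_MOD, N_OIL, N_VIN = 31, 3, 6  # constructed toy GF(31) (the claims' q); n oil, v vinegar, v > n (claims 6, 14)
N = N_OIL + N_VIN               # k = n equations; real parameters are far larger than this toy instance
RNG = random.Random(2024)       # seeded only so the example is reproducible; real keys need a CSPRNG

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P_MOD for col in zip(*B)] for row in A]
def eval_quad(M, x):  # Q(x) = x~^T M x~ with x~ = (x, 1); the trailing 1 carries linear/constant terms
    xt = list(x) + [1]
    return sum(xi * mij * xj for xi, row in zip(xt, M) for mij, xj in zip(row, xt)) % P_MOD
def solve_mod_p(A, b):  # Gauss-Jordan elimination over GF(p); returns None when the system is singular
    n, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v * pow(M[c][c], -1, P_MOD) % P_MOD for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % P_MOD for x, y in zip(M[r], M[c])]
    return [row[n] for row in M]

def keygen():
    central = [[[0 if i < N_OIL and j < N_OIL else RNG.randrange(P_MOD)  # S2: no oil*oil coefficient
                 for j in range(N + 1)] for i in range(N + 1)] for _ in range(N_OIL)]
    while True:  # secret affine s(x) = A x + c, kept as the block matrix S = [[A, c], [0, 1]] (claim 10)
        S = [[RNG.randrange(P_MOD) for _ in range(N + 1)] for _ in range(N)] + [[0] * N + [1]]
        if solve_mod_p([r[:N] for r in S[:N]], [0] * N) is not None:  # A must be invertible
            break
    public = [matmul([list(col) for col in zip(*S)], matmul(M, S)) for M in central]  # S1: P_i = P'_i o s
    return (central, S), public
def hash_to_field(msg, k):  # constructed hash-to-GF(p) for the claims' b_1..b_k (not a standard encoding)
    return [byte % P_MOD for byte in hashlib.sha256(msg).digest()[:k]]

def sign(secret, msg):
    central, S = secret
    b = hash_to_field(msg, N_OIL)
    while True:
        vin = [RNG.randrange(P_MOD) for _ in range(N_VIN)]  # chosen vinegar values a'_{n+1},...,a'_{n+v}
        c0 = [eval_quad(M, [0] * N_OIL + vin) for M in central]  # with vinegar fixed, P'_i is affine in oil
        L = [[(eval_quad(M, [int(j == t) for t in range(N_OIL)] + vin) - c0[i]) % P_MOD
              for j in range(N_OIL)] for i, M in enumerate(central)]  # so read off L_i . oil + c0_i
        oil = solve_mod_p(L, [(bi - ci) % P_MOD for bi, ci in zip(b, c0)])
        if oil is not None:  # a singular system only means: draw fresh vinegar values and retry
            break
    return solve_mod_p([r[:N] for r in S[:N]], [(ai - r[N]) % P_MOD for ai, r in zip(oil + vin, S)])  # e = s^-1(a')
def verify(public, msg, sig):  # the claims' P_i(e, b) = 0 is P_i(e) = b_i here, as y_i enters only as -y_i
    return all(eval_quad(Pi, sig) == bi for Pi, bi in zip(public, hash_to_field(msg, N_OIL)))
```

keygen() returns the secret pair (central map S2, affine transformation s) and the public quadratics S1; sign(secret, msg) and verify(public, msg, sig) follow claims 1 and 13 step by step.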
Abstract of the disclosure 

The invention provides for a cryptographic method for digital signature. 

A set S1 of k polynomial functions P_k(x_1,...,x_{n+v}, y_1,...,y_k) are supplied as a public key, where k, v and n are integers, x_1,...,x_{n+v} are n+v variables of a first type and y_1,...,y_k are k variables of a second type, the set S1 being obtained by applying (100) a secret key operation on a given set S2 of k polynomial functions P'_k(a_1,...,a_{n+v}, y_1,...,y_k), a_1,...,a_{n+v} designating n+v variables including a set of n "oil" and v "vinegar" variables. 

A message to be signed is provided (105) and submitted (110) to a hash function to produce a series of k values (b_1,...,b_k). These k values are substituted (115) for the k variables (y_1,...,y_k) of the second set S2 to produce a set S3 of k polynomial functions P''_k(a_1,...,a_{n+v}), and v values a'_{n+1},...,a'_{n+v} are selected (120) for the v "vinegar" variables. A set of equations P''_k(a_1,...,a_{n+v}) = 0 is solved (125) to obtain a solution for (a'_1,...,a'_n) and the secret key operation is applied (130) to transform the solution to the digital signature. 
FIG. 2A (flowchart of the signing method; box text and reference numerals recovered from the figure) 

100: A generator of a public key supplies a set S1 of k polynomial functions as a public key, where the set S1 includes the functions P_1(x_1,...,x_{n+v}, y_1,...,y_k),..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), with k, v, and n being integers, x_1,...,x_{n+v} being n+v variables of a first type, and y_1,...,y_k being k variables of a second type, and the set S1 being obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k),..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k) with a_1,...,a_{n+v} being n+v variables which include a set of n "oil" variables a_1,...,a_n and a set of v "vinegar" variables a_{n+1},...,a_{n+v}. 

105: A message to be signed is provided. 

110: A signer of a digital signature applies a hash function on the message to produce a series of k values b_1,...,b_k. 

115: The signer substitutes the series of k values b_1,...,b_k for the variables y_1,...,y_k of the set S2 respectively so as to produce a set S3 of k polynomial functions P''_1(a_1,...,a_{n+v}),..., P''_k(a_1,...,a_{n+v}). 

120: The signer selects v values a'_{n+1},...,a'_{n+v} for the v "vinegar" variables a_{n+1},...,a_{n+v}. 

125: The signer solves a set of equations P''_1(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0,..., P''_k(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0 to obtain a solution for a'_1,...,a'_n. 

130: The signer applies the secret key operation to transform a'_1,...,a'_{n+v} to the digital signature e_1,...,e_{n+v}. 
FIG. 2B (flowchart of the verifying method; box text and reference numerals recovered from the figure) 

A verifier of a digital signature obtains the signature e_1,...,e_{n+v}, the message, the hash function and the public key. 

205: The verifier applies the hash function on the message to produce the series of k values b_1,...,b_k. 

210: The verifier verifies the digital signature by verifying that the equations P_1(e_1,...,e_{n+v}, b_1,...,b_k) = 0,..., P_k(e_1,...,e_{n+v}, b_1,...,b_k) = 0 are satisfied. 